KB Article | Forcepoint Support

Notes & Warnings

  • User/Group filtering is only be available for http, https, and ftp traffic generated by the Citrix Users.  All other protocol filtering by the Network Agent can only be applied via Global/Default or IP based policies.
  • If you have the second Network Agent plugged into the same switch doing port monitoring and sending to multiple span destinations, follow the steps below:
    • Set the second Network Agent (monitoring Citrix traffic) to ignore domain users.
    • Set the first Network Agent (monitoring domain users) to ignore Citrix users.
  • Although only one user may be browsing for each outgoing web request, reporting components (Investigative Reports & Presentation Reports) will show both the username and the Citrix server IP address as two different users browsing to the same URL. In order to avoid this situation take the appropriate action:
  • Login to Forcepoint Manager and add the IP address of the Citrix Server(s) in the proxy settings for Network Agent.  This is located under settings > Network Agent > Global Settings > Proxy/Cache Machines field.

Problem Description

My current deployment is Websense Stand-Alone. I can only filter http, https, and ftp traffic from the Citrix plug-in. How do I filter protocol traffic from my Citrix users?


This configuration is for Stand-Alone only. The Citrix plug-in can only send username/ip information, http, https, and ftp traffic. To avoid double filtering with the current Stand-Alone Filtering Service + Network Agent, you will need to enter exceptions on the monitoring interface for all Citrix servers running the Citrix plug-in. You will then need a second Filtering Service and Network Agent integrated with Citrix. The "integrated" Network Agent is needed so that it will only monitor/block "protocol" traffic, not http. A second stand-alone Network Agent will not work as you do not want NA monitoring HTTP traffic that the Citrix Plug-in are already forwarding to the Filtering Service.
  • Another port span is needed to mirror traffic coming from the Citrix Server(s).  This can be on the existing switch or another switch the Citrix traffic traverses.
  • For versions 7.6 to 8.5 and later: deploy a new Citrix Client profile with the new IP address. See Integrating Forcepoint URL Filtering with Citrix for information.
  • For versions 7.5.x and earlier: in the wscitrix.ini file, located in the ...\websense\bin directory of the Citrix Server(s), edit the Filtering Service IP to point to the new Filtering Service integrated with Citrix, then restart the Citrix plug-in service.
  • The new Network Agent will handle the protocol traffic while the Citrix plug-in is still handling the username/ip information, http, https, and ftp traffic.
Additional Info:
  • In v7.6.x and later, Citrix integration does not use the WsCitrix.ini file.
  • Before upgrading an existing installation to v7.6.x, use Windows Add/Remove Programs on the Citrix server to remove the existing (previous version) Citrix Integration Service.
  • If you find a WsCitrix.ini file on a v7.6.x machine, old components were not removed properly.
  • If adding the Filtering Service IP address to a WsCitrix.ini file fixes a problem after v7.6.x installation, you’ve just re-enabled the v7.5.x Citrix integration, and your new, v7.6.x Citrix Integration Service is not being used. (It may, however, be degrading the performance of your v7.5.x components.) To fix the problem, completely remove Websense components from the Citrix server, and then deploy the v7.6.x Citrix Integration Service again.

Keywords:  citrix plug-in; citrix; vdi; integration; protocol filtering

Article Feedback

Thank you for the feedback and comments.